nicosingh/iam.tf

## iam.tf
# create some variables
variable "name_prefix" {
  type        = string
  description = "Prefix to be used on each infrastructure object Name created in AWS."
}
variable "admin_users" {
  type        = list(string)
  description = "List of Kubernetes admins."
}
variable "developer_users" {
  type        = list(string)
  description = "List of Kubernetes developers."
}

# create Admins & Developers user maps
locals {
  admin_user_map_users = [
    for admin_user in var.admin_users :
    {
      userarn  = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/${admin_user}"
      username = admin_user
      groups   = ["system:masters"]
    }
  ]
  developer_user_map_users = [
    for developer_user in var.developer_users :
    {
      userarn  = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/${developer_user}"
      username = developer_user
      groups   = ["${var.name_prefix}-developers"]
    }
  ]
}

# add 'mapUsers' section to 'aws-auth' configmap with Admins & Developers
resource "time_sleep" "wait" {
  create_duration = "180s"
  triggers = {
    cluster_endpoint = var.cluster_endpoint
  }
}
resource "kubernetes_config_map_v1_data" "aws_auth_users" {
  metadata {
    name      = "aws-auth"
    namespace = "kube-system"
  }

  data = {
    mapUsers = yamlencode(concat(local.admin_user_map_users, local.developer_user_map_users))
  }

  force = true

  depends_on = [time_sleep.wait]
}

# create developers Role using RBAC
resource "kubernetes_cluster_role" "iam_roles_developers" {
  metadata {
    name = "${var.name_prefix}-developers"
  }

  rule {
    api_groups = ["*"]
    resources  = ["pods", "pods/log", "deployments", "ingresses", "services"]
    verbs      = ["get", "list"]
  }

  rule {
    api_groups = ["*"]
    resources  = ["pods/exec"]
    verbs      = ["create"]
  }

  rule {
    api_groups = ["*"]
    resources  = ["pods/portforward"]
    verbs      = ["*"]
  }
}

# bind developer Users with their Role
resource "kubernetes_cluster_role_binding" "iam_roles_developers" {
  metadata {
    name = "${var.name_prefix}-developers"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "${var.name_prefix}-developers"
  }

  dynamic "subject" {
    for_each = toset(var.developer_users)

    content {
      name      = subject.key
      kind      = "User"
      api_group = "rbac.authorization.k8s.io"
    }
  }
}
	# create some variables
	variable "name_prefix" {
	type = string
	description = "Prefix to be used on each infrastructure object Name created in AWS."
	}
	variable "admin_users" {
	type = list(string)
	description = "List of Kubernetes admins."
	}
	variable "developer_users" {
	type = list(string)
	description = "List of Kubernetes developers."
	}

	# create Admins & Developers user maps
	locals {
	admin_user_map_users = [
	for admin_user in var.admin_users :
	{
	userarn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/${admin_user}"
	username = admin_user
	groups = ["system:masters"]
	}
	]
	developer_user_map_users = [
	for developer_user in var.developer_users :
	{
	userarn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/${developer_user}"
	username = developer_user
	groups = ["${var.name_prefix}-developers"]
	}
	]
	}

	# add 'mapUsers' section to 'aws-auth' configmap with Admins & Developers
	resource "time_sleep" "wait" {
	create_duration = "180s"
	triggers = {
	cluster_endpoint = var.cluster_endpoint
	}
	}
	resource "kubernetes_config_map_v1_data" "aws_auth_users" {
	metadata {
	name = "aws-auth"
	namespace = "kube-system"
	}

	data = {
	mapUsers = yamlencode(concat(local.admin_user_map_users, local.developer_user_map_users))
	}

	force = true

	depends_on = [time_sleep.wait]
	}

	# create developers Role using RBAC
	resource "kubernetes_cluster_role" "iam_roles_developers" {
	metadata {
	name = "${var.name_prefix}-developers"
	}

	rule {
	api_groups = ["*"]
	resources = ["pods", "pods/log", "deployments", "ingresses", "services"]
	verbs = ["get", "list"]
	}

	rule {
	api_groups = ["*"]
	resources = ["pods/exec"]
	verbs = ["create"]
	}

	rule {
	api_groups = ["*"]
	resources = ["pods/portforward"]
	verbs = ["*"]
	}
	}

	# bind developer Users with their Role
	resource "kubernetes_cluster_role_binding" "iam_roles_developers" {
	metadata {
	name = "${var.name_prefix}-developers"
	}

	role_ref {
	api_group = "rbac.authorization.k8s.io"
	kind = "ClusterRole"
	name = "${var.name_prefix}-developers"
	}

	dynamic "subject" {
	for_each = toset(var.developer_users)

	content {
	name = subject.key
	kind = "User"
	api_group = "rbac.authorization.k8s.io"
	}
	}
	}